Notes/FAQ:
----------

1. "Ok, so how do I follow this?"
   http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
   http://keyring.debian.org/creating-key.html

2. "How can I be really sure/paranoid enough?"
   https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

3. Every 3-6 months, and/or before key expiry and major keysigning events, push your key's expiry date forward with the 'expire' command inside 'gpg --edit-key' (remember to do all subkeys, not just the primary key). Put it on your calendar!

4. If you intend to sign on a slow alternative-arch, you may find that adding a DSA1024 subkey significantly speeds up signing. Caveat: a 1024-bit DSA key is far weaker than a 4096-bit RSA primary key and its signatures are limited to a 160-bit hash, so give such a subkey a short expiry and use it only where you really need the speed.

5. Can you give me a full ~/.gnupg/gpg.conf file?
===
# -- robbat2's recommendations:
# (note: the SKS pool has since been shut down; substitute a live keyserver such as keys.openpgp.org)
keyserver pool.sks-keyservers.net
emit-version
default-recipient-self

# -- All of the below portion from the RiseUp.net OpenPGP best practices, and
# -- many of them are also in the Debian GPG documentation.

# when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode

# long keyids are more collision-resistant than short keyids
# (it's trivial to make a key with any desired short keyid)
keyid-format 0xlong

# when multiple digests are supported by all recipients, choose the strongest one:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# preferences chosen for new keys should prioritize stronger algorithms:
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

# If you use a graphical environment (and even if you don't) you should be using an agent:
# (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
# (in GnuPG 2.1 and later the agent is always used and this option is ignored)
use-agent

# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity

# include an unambiguous indicator of which key made a signature:
# (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA256
===
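As an added example (not part of the original notes, and not robbat2's or RiseUp's code), here is a small script that turns the reminder in item 3 into a check you can run from cron: it parses the machine-readable output of 'gpg --list-keys --with-colons' and lists every primary key and subkey whose expiry falls within the next N days, including ones that have already lapsed. The listing embedded in the script is constructed for the example and is not a real key.

```python
"""Report OpenPGP keys and subkeys that expire soon.

Feed it `gpg --list-keys --with-colons` (or `--list-secret-keys --with-colons`)
on stdin; with no stdin it runs against the constructed sample listing below.
"""
import datetime as dt
import sys

# Record types in --with-colons output that carry key material.
KEY_RECORDS = {"pub", "sec", "sub", "ssb"}


def _parse_gpg_date(field):
    """Field 6/7 of a key record: seconds since the epoch in GnuPG 2.x,
    YYYY-MM-DD in older GnuPG 1.4 listings; empty means 'never expires'."""
    if not field:
        return None
    if field.isdigit():
        return dt.datetime.fromtimestamp(int(field), tz=dt.timezone.utc)
    return dt.datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)


def parse_colon_listing(text):
    """Return [(record_type, keyid, capabilities, expiry)] for every key/subkey."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        # Field layout (1-based): 1 type, 5 keyid, 6 creation, 7 expiry, 12 capabilities.
        if fields[0] not in KEY_RECORDS or len(fields) < 12:
            continue
        out.append((fields[0], fields[4], fields[11], _parse_gpg_date(fields[6])))
    return out


def keys_expiring_within(text, days, now=None):
    """Return [(type, keyid, days_left)] sorted soonest first.

    Already-expired keys are included with a negative days_left; keys with no
    expiry are skipped (they never need the 'expire' command)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    horizon = now + dt.timedelta(days=days)
    hits = []
    for rtype, keyid, _caps, expiry in parse_colon_listing(text):
        if expiry is not None and expiry <= horizon:
            hits.append((rtype, keyid, (expiry - now).days))
    hits.sort(key=lambda h: h[2])
    return hits


# Constructed sample (not a real key): primary key good until 2012-01-01, a
# signing subkey expiring in 20 days, an encryption subkey that expired a
# month ago, and an authentication subkey with no expiry at all.
SAMPLE_NOW = dt.datetime(2010, 6, 1, tzinfo=dt.timezone.utc)
SAMPLE_LISTING = """\
tru::1:1275350400:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1262304000:1325376000::u:::scESC:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1262304000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>:
sub:u:2048:1:1111111111111111:1262304000:1277078400:::::s:
sub:e:2048:1:2222222222222222:1262304000:1272672000:::::e:
sub:u:2048:1:3333333333333333:1262304000::::::a:
"""

if __name__ == "__main__":
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 30
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for rtype, keyid, left in keys_expiring_within(listing, days):
        state = "EXPIRED" if left < 0 else "expires in %d days" % left
        print("%s 0x%s: %s" % (rtype, keyid, state))
```

Typical use is 'gpg --list-secret-keys --with-colons | python3 check_expiry.py 90' a few days before a keysigning event; any line it prints is a key or subkey that still needs the 'expire' command.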